1.0 (U) Analysis Summary 


(S//NF) This summarizes what appears to be a briefing slide deck on persistence. The content of 
the briefing deck is truly a mixed bag of basic generalized persistence techniques, fairly 
sophisticated persistence methods, and theoretical persistence methods that are complex in the 
extreme. The latter category pushes the scope of effort to research and implement beyond PoC 
recommendations. The middle category, fairly sophisticated persistence methods, holds some 
promise for multiple PoC recommendations but we recommend we convene a specific meeting 
of the Pique team to discuss and triage each, which include: 


- File replacement — replace an autostart service .DLL in the registry, then on start-up actively proxy 
invocations of DllMain() and ServiceMain(). Or replace an existing COM control in 
HKCR\CLSID\{GUID}\InprocServer32, subclass the control's methods, and proxy. 


- File displacement — rather than replace a file on disk, modify a registry key (ServiceDll, 
InprocServer32 default value, or equivalent), then proxy instantiation. 


- File displacement via loader preference — (Windows .DLL search order): the .DLL search order 
favors the local directory over system32. The shell (explorer.exe) is in C:\Windows, not 
system32. 


- Other subsystems to consider: 
  - Print spooler drivers 
  - Winlogon, LSA, Crypto providers, and authentication providers 
  - .NET assemblies 
  - Input method editors 
  - Sidebar gadgets 
  - MIME types and protocol handlers 
  - Plug-ins 
- Subsystems with their own stacks: 
  - Windows messages 
  - Image codecs 
  - DirectShow filters 
  - WEP drivers 
  - Filesystem filters 
  - Any driver with IRP_MJ handlers 
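As an added example, not part of this report or of any Pique tooling, the following Python audit shows the defender's side of the file replacement, file displacement and loader-preference items above. It flags ServiceDll and InprocServer32 load paths that sit outside System32 or in user-writable directories, and it reports DLLs sitting next to an application (here C:\Windows, where explorer.exe lives) that would shadow a System32 copy under the default search order. The registry values, file listings and CLSIDs are constructed samples, the directory lists are assumptions, and the KnownDLLs set is an illustrative subset rather than the authoritative registry list.

```python
"""Audit constructed registry-style records for the persistence patterns the
briefing lists: ServiceDll / InprocServer32 substitution and search-order
displacement. Added example with constructed sample data, not report content."""
import ntpath
from collections import namedtuple

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")

# Directories a standard user can write to (assumed list); a service or COM
# server loading from one of these deserves a closer look.
USER_WRITABLE_PREFIXES = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")

# Illustrative subset of modules the loader always maps from System32
# (KnownDLLs); the authoritative list lives under Session Manager\KnownDLLs.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll"}

Finding = namedtuple("Finding", "kind subject path")


def normalize(path):
    """Strip quotes, expand %SystemRoot%/%windir%, and lower-case for comparison."""
    path = path.strip().strip('"')
    for var in ("%SystemRoot%", "%windir%"):
        path = path.replace(var, SYSTEM_ROOT)
    return ntpath.normpath(path).lower()


def is_under(path, directory):
    """True if path lies inside directory (case-insensitive, NT path rules)."""
    return normalize(path).startswith(normalize(directory) + "\\")


def audit_load_paths(entries, kind):
    """entries: {subject: dll path} taken from ServiceDll values or
    InprocServer32 default values. Returns findings for load paths that a
    displacement of the registry value could have introduced."""
    findings = []
    for subject, dll in entries.items():
        if any(is_under(dll, p) for p in USER_WRITABLE_PREFIXES):
            findings.append(Finding(kind + "_user_writable", subject, dll))
        elif not is_under(dll, SYSTEM32):
            findings.append(Finding(kind + "_outside_system32", subject, dll))
    return findings


def find_shadowed_dlls(app_dir, app_dir_files, system32_files):
    """A DLL present both beside the application and in System32 is resolved
    from the application directory first under the default search order,
    unless it is a KnownDLL. Report the non-KnownDLL overlaps."""
    app = {f.lower() for f in app_dir_files if f.lower().endswith(".dll")}
    sys32 = {f.lower() for f in system32_files}
    return [Finding("search_order_shadow", ntpath.join(app_dir, f), SYSTEM32)
            for f in sorted(app & sys32) if f not in KNOWN_DLLS]


# Constructed sample data (service names, CLSIDs and file names are made up).
SAMPLE_SERVICE_DLLS = {
    "GoodSvc": r"%SystemRoot%\System32\goodsvc.dll",
    "OddSvc": r"C:\ProgramData\Vendor\oddsvc.dll",
    "StraySvc": r"C:\Windows\straysvc.dll",
}
SAMPLE_INPROC = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\good.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\Users\Public\ctl.dll",
}
SAMPLE_APP_DIR = SYSTEM_ROOT  # explorer.exe lives in C:\Windows, not System32
SAMPLE_APP_FILES = ["explorer.exe", "version.dll", "ntdll.dll", "notepad.exe"]
SAMPLE_SYSTEM32_FILES = ["version.dll", "ntdll.dll", "kernel32.dll", "goodsvc.dll"]


def run_audit():
    """Run all three checks over the constructed samples and return the findings."""
    findings = audit_load_paths(SAMPLE_SERVICE_DLLS, "ServiceDll")
    findings += audit_load_paths(SAMPLE_INPROC, "InprocServer32")
    findings += find_shadowed_dlls(SAMPLE_APP_DIR, SAMPLE_APP_FILES, SAMPLE_SYSTEM32_FILES)
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:32} {f.subject} -> {f.path}")
```

On the sample data this yields four findings: one ServiceDll in a user-writable directory, one ServiceDll outside System32, one InprocServer32 server under C:\Users, and version.dll shadowing the System32 copy (ntdll.dll is skipped as a KnownDLL). On a real host the inputs would be the ServiceDll values under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, the InprocServer32 defaults under HKCR\CLSID, and directory listings; a path outside System32 is a triage lead to compare against a known-good baseline, not proof of tampering.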


(S//NF) We recommend a specific meeting be called to discuss each of these approaches to 
persistence to determine which makes most sense for PoC development consideration as all have 
potential. 
2.0 (U) Description of the Technique 


(S//NF) The techniques to discuss and consider for PoC development revolve predominantly 
around file replacement/displacement and proxying the original functionality once substituted. 


3.0 (U) Identification of Affected Applications 

(U) Windows primarily, but not exclusively. 

4.0 (U) Related Techniques 

(S//NF) Persistence. 

5.0 (U) Configurable Parameters 

(U) Varied. 

6.0 (U) Exploitation Method and Vectors 


(S//NF) No exploitation methods or attack vectors were discussed in this report. 


7.0 (U) Caveats 

(U) None. 

8.0 (U) Risks 

(S//NF) TBD depending on which methods, if any, are recommended for PoC development. 

9.0 (U) Recommendations 


(S//NF) We recommend a specific meeting be called to discuss each of these approaches to 
persistence to determine which makes most sense for PoC development consideration as all have 
potential. 